PT-2026-40975 · Flowiseai+2 · Flowise
Published
2026-05-14
·
Updated
2026-06-11
·
CVE-2026-42861
CVSS v3.1
9.6
Critical
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
Flowise versions prior to 3.1.2
Description
A mass assignment issue exists in the variable update endpoint '/api/v1/variables/{variableId}'. This allows authenticated users to modify server-controlled properties by including them in the JSON request body, as the backend lacks strict input validation and authorization checks. Specifically, an attacker can manipulate the
workspaceId, createdDate, and updatedDate variables. By altering the workspaceId, a user can reassign variables to arbitrary workspaces, which may lead to a bypass of tenant isolation in multi-workspace environments.Recommendations
Update to version 3.1.2.
Exploit
Fix
Improper Access Control
IDOR
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Flowise